I don't always get spam, but when I do, I exercise my rights under the Spam and Privacy Acts.
Of all the unsolicited commercial messages that I have followed up on, I have never once been provided with evidence of consent. At best I have received a variation of the following:
Rather than just let these multi-billion dollar corporations and government agencies get away with commercialising my data without my consent and just telling me to unsubscribe, I have instead:
This site aims to bring some accountability to those in, and leveraging, the direct marketing industry who have been getting away with these practices for years.
These publicly published reports form the basis for the detailed submissions into the OAIC complaint process.
Let's see if sunlight really is the best disinfectant.
In 2008, I provided my profile data to an e-tag company, using an email address that specifically included the company's name. This email address was exclusively given to that particular company, and was solely used to receive statements during a nine-month period in 2008.
During that time, the associated privacy policy explicitly prohibited the use or disclosure of my personal information for marketing purposes, and gave the option to close my account if that policy should ever change. This policy remained unchanged when I closed my account.
This prompted a 3-year (and counting) investigation into the direct marketing industry, aiming to uncover how my personal information was disclosed, obtained and sold, using the two key elements of the Spam and Privacy Acts designed to protect us and afford us rights over our own data.
During this time, a number of other unrelated businesses also sent unsolicited commercial messages, and were also unable to meet their obligations. Some of the parallels between these unrelated events and businesses appeared suspiciously consistent.
Those interactions will also be published here.
Company 1
Evidence of Consent: 0/10
Provided Data Source: 0/10
User List Accountable: 0/10
Ensures Compliance: 0/10
"It seems that (Marketer 1) took it upon themselves to write a review of the (Company 1 Product) and send it to a list. The question of how they built this list will need to be taken up with that company directly."
"a trace of the redirects performed by these links shows that they redirect the browser to a (Company 1) website via (Data Broker 1)"
"one of the commercial emails that I received referenced (Data Broker 0) in a source parameter. (Data Broker 0) apparently went into liquidation just prior to this unsolicited marketing campaign, with many of its staff forming a new company called (Data Broker 1), which, as mentioned below, is directly referenced from the (Customer 1) commercial messages that I have received."
"According to this archived Advertisers page from the old (Data Broker 0) website, (Customer 1) was listed as one of their customers."
"I have had a response from the team investigating your concern. They have replied and advised that they have had communication from (Marketer 1) advising this matter had been resolved."
"Information received stated that ‘ACMA is not investigating this matter or making a finding that (Marketer 1) has breached spam laws at this time’."
“Please see attached report provided by (Marketer 1). (Marketer 1) is solely responsible for supplying the “Opt In” source and relevant privacy policy. (Company 1) does not have access to these details and can provide no further information.”
"Thanks for the update. Unfortunately the issue has not been resolved. As mentioned this morning, it has been 96 days since I requested the source of my personal information from (Customer 1)’s marketing partners and it has still not been provided."
"I have seen that report from (Marketer 1) previously, which was provided via one of (Marketer 1)'s business partners. That business partner has since terminated their contract with (Marketer 1) as a result of their failure to resolve this issue. There are numerous inaccuracies in that report"
ACMA: "While this step is not a formal investigation or finding, it does not mean that the ACMA has found the business to be compliant with spam rules."
Company 2
Evidence of Consent: 2/10
Provided Data Source: 5/10
User List Accountable: 9/10
Ensures Compliance: 9/10
"I am writing to you to confirm that I have now been notified of this correspondence trail and will offer our full support to you and the (Company 2 Parent) Privacy Office in investigating this."
"I have attached the original email received back on the 10th of April. The email address this was sent to is Company0@redacted.net
Here is a brief history that may help. Feel free to pass this on:"
"Should the marketing agency reach out to you directly in their investigation I have asked that I be copied on the email so I am aware at all times of the process and responses."
"We have a zero tolerance policy for matters of this importance and (Marketer 1) will never again be involved in any project associated with (Company 2)."
"The last update was that they would provide me with an update as soon as they have the information back from their “partner”, who they have not named. That was Wednesday last week."
"I have now received two written responses for you. One from (Data Broker 1) - a partner of our marketing agency, and one from the database provider, (Marketer 1)."
"The response from (Data Broker 1) seems quite appropriate and reasonable. There are a couple of minor inaccuracies that appear to have been sourced from (Marketer 1)."
"(Marketer 1)'s response, on the other hand, has a number of inaccuracies."
"Feel free to pass any or all of this on to (Data Broker 1)."
"my expectation is that (Marketer 1) will name an aggregator business that sells personal information to direct marketers and their partners rather than a customer facing company that actually solicits or infers consent from their users directly. If this assumption proves accurate, I will then need to engage in further efforts to solicit the actual source of my personal information from that aggregator. I am happy to leave out any mention of, or make specific references to, (Company 2) in those discussions. While I don’t currently have any plans to make these discussions public, there are a growing number of people cc’d on those other email trails and I can’t guarantee that they won’t end up in a public forum or media."
"In respect of your offer to leave out mention of / specific references to (Company 2) as the matter continues to be investigated I will gratefully accept, but ask that you do what you feel is right and comfortable. I believe the matter at hand warrants thorough investigation and we (individuals and businesses) all have a role to play in ensuring the integrity of what we do."
Government Organisation 1
Evidence of Consent: 0/10
Provided Data Source: 2/10
User List Accountable: 0/10
Ensures Compliance: 0/10
"It appears that (Government Organisation 1) is sending out unsolicited marketing material via this illegal spammer"
"(Marketer 1) confirmed that a valid opt-in exists for the email address you provided to us, which is why you received an email"
“I can’t find any evidence of any means to sign-up or log in to that site let alone agree to any terms. The ‘members' their About Us page refers to seem to have no means of becoming members voluntarily."
"For privacy reasons, (Marketer 1) could not (and did not) release your opt-in details to us, or provide us with any other personally identifiable information about you. We understand (Marketer 1) will engage with you directly to manage your subscription and any concerns you may have."
"The representatives of (Marketer 1) have lied in their response to (Government Organisation 1). I hereby grant (Marketer 1 cc'd) and their representatives permission to release my alleged opt-in details to (Government Organisation 1) and by doing so remove any claims to privacy constraints that would otherwise prevent the release of those claimed details."
"Please note (Marketer 1) will now engage with you directly regarding any concerns you have."
"The suggestion that I should engage with (Government Organisation 1)’s business partners to address legal issues with their actions executing (Government Organisation 1)’s paid engagements is not a sufficient resolution to this complaint, particularly since I had already tried that before raising this complaint directly with (Government Organisation 1) because taking that approach was unsuccessful."
Data Broker 2
Evidence of Consent: 5/10
Provided Data Source: 5/10
User List Accountable: 5/10
Ensures Compliance: 5/10
"This unsolicited marketing material has been sent to an email alias that was setup 13 years ago and only ever used for a single specific company. This spammer has illegally obtained this decade old identity profile that has never been used anywhere else and has started sending unsolicited marketing material to this address."
"This information was obtained from the company (Data Broker 3).
(Data Broker 3) contact details can be found below"
"Thanks for the info, however that is not the email address that the unsolicited marketing material was sent to in contravention of the Australian spam act. This actually raises further questions as to why (Data Broker 2) has multiple separate contact details for me since I do not have any relationship with this company and therefore have never given my express or implied permission for my contact details to be used for any form of marketing."
"The email address Company0@redacted.net was also found on our database and this was also sourced via (Data Broker 3).
Both addresses were supplied to (Data Broker 2) by (Data Broker 3) in July 2018."
Data Broker 3
Evidence of Consent: 0/10
Provided Data Source: 0/10
User List Accountable: 0/10
Ensures Compliance: 0/10
"Please provide me with the source of my contact details that (Data Broker 3) has been passing on to spammers."
"while I await (Data Broker 3)'s response to my request for the source of my profile data that has presumably been sold on to (Data Broker 2) and others, I am still receiving the same illegally distributed, unsolicited marketing material"
"It seems appropriate to keep everyone responsible for this in the loop each time it re-occurs while I’m awaiting these requested details."
“Your records would have been suppressed instantly the moment you emailed us so I can't comment on any further emails you are receiving.
I've also never dealt with (Company 3) so I can't comment.
Our team is working to find if and where we have collected your data from.
Please bear in mind that COVID lock downs and people working from home are adding time onto requests such as yours but I hope to have the information to you by Wednesday.”
"Thanks, Earl. I appreciate the direct response.
I’m genuinely interested in finding out how this honeypot email address found its way into the system."
"If the record came from us I'll come back to you with the source listed on our system by Wednesday."
"Just checking in on the progress. I didn’t see anything on Wednesday or Thursday."
"It is now 1 week past the date that you promised to provide the source of my contact details that appear to have been sold on to other marketing organisations without my permission. I didn’t see a response to my request for a revised ETA last Friday either."
"It has now been 21 days since I requested the source of my personal information from (Data Broker 3)."
"I'll give you a call tomorrow.
Can you send me your number please."
"Given the nature of this issue, I would prefer to keep a digital paper trail of all discussions.
Please send the details requested via email."
Data Broker 3
Evidence of Consent: 0/10
Provided Data Source: 0/10
User List Accountable: 0/10
Ensures Compliance: 0/10
"It has now been 34 days since I originally requested the source of my personal information used in these unsolicited marketing campaigns.
Please provide the source of my personal information."
about 7 weeks after initial request
"Apologies for the delay in coming back to you. The current difficulties with lockdown, combined with the fact that it took a while for our team to locate your record mean that I was unable to come back to you until now.
Here is the information that we held on you on our database:
Name - Mr Tristan Austin
Address - <redacted: someone else's current address>
Email - tristan.redacted.net
Collection date : 19/4/2015
Collection Source : Win a Trip to London, Co-reg competition.
I was trying to locate the graphics for the competition but due to the fact that it was over 6 years ago it has to be an unsuccessful search."
"There are a few issues here:
1. I never entered any such competition. If I had, it seems odd that I would have entered an old address that I had not lived at for some time at the alleged date of collection. As per the Spam Act 2003, section 16, subsection (5), the evidentiary burden is on (Data Broker 3) to back up this claim. The inaccurate details provided below do not meet this requirement of the act.
2. The information I requested primarily relates to the Company0@redacted.net email address
The false claim regarding issue 1 above aside, it has now been 48 days since I requested the source of my personal information as it pertains to the Company0@redacted.net email address.
Please provide the source of my personal information."
see the transcripts and commentary regarding this discussion that went on for a further 3 years (and counting)
Marketer 1
Evidence of Consent: 0/10
Provided Data Source: 2/10
User List Accountable: 0/10
Ensures Compliance: 0/10
"I have decided to not remove this alias or unsubscribe it from this spammer so that I can pass on this information to the people using them for advertising purposes and to make sure they are held accountable for their illegal marketing campaigns and data theft."
“This is a serious allegation, and (Marketer 1) does not hold and would never use or accept any data that was not collected in accordance with the APP guidelines.”
“The other data sits with a partner org. I have submitted a request to their IT team to get the information. Below is what I have as of now”
################
Date of consent: 05/03/2015
Category: F and B
Source Collection Method: Purchase
################
“My request is for the source from which my personal information was acquired. It states below that it was purchased. I need to know from who.”
“Based on advice from the OAIC, I will provide you with the details of the partner organisation (see below). Once I have done this, I have met all my obligations under the ACT, and all records relating to yourself (if any) will be removed from our systems, and I will consider this matter closed.
Company: (Data Broker 3)”
“Thanks. I’ll take this up with Earl.”
“never heard of an organisation named "(Marketer 1)" and definitely never sold them any data. Looks like they are trying to offload the problem.”
“nor have they attempted to contact me or anyone in my organisation ever. There are no missed calls, emails or any attempt at contact.”
“This is an interesting and unexpected development.”
"(Data Broker 3) split into two organisations, a legal and compliant data sharing agreement between (Data Broker 3) and the new entity (Data Broker 4) was created and agreed to by both parties.
(Data Broker 4) (now (Data Broker 5)) was later restructured, and a new entity was formed ((Marketer 1)). (Data Broker 4) (now (Data Broker 5)) also entered into a legal data sharing agreement allowing both parties shared access to the data."
"Earl, are you in agreement with this?"
Company 4
Evidence of Consent: 0/10
Provided Data Source: 5/10
User List Accountable: 0/10
Ensures Compliance: 0/10
“(Data Broker 6)'s marketing database contains personal information obtained from publicly available sources, surveys, competitions and other data supply companies. (Data Broker 6) has advised that all individuals in this database have consented to their data being shared with third parties.”
“Unfortunately, (Data Broker 6) has either lied to (Company 4) about the consent status of entries in their database, or they were lied to by whoever illegally sold them my personal information. In either case, their database verifiably does have individuals present that have not consented to receiving commercial messages, and as of this email, (Company 4) is now aware of this."
"I respectfully request that we skip the part where (Company 4) insists that I consented and that I should simply unsubscribe. It should be in (Company 4)’s interests to help track down those responsible for illegally acquiring and selling my personal information to (Company 4) and others.”
"This information is not directly held by (Data Broker 6), however our data source (Data Broker 7) has advised that your details were originally collected on 19/04/2015 as part of a Win a trip to London competition. We understand your information was provided to (Data Broker 7) by (Data Broker 3)"
“Please welcome (Company 4), (Data Broker 6) and (Data Broker 7) to the discussion. The thread copied below shows how yet another unsolicited marketing campaign has led back to (Data Broker 3) as the source of my personal information with no sign of any evidence of consent for my data to be shared with anyone.”
"never dealt with (Data Broker 7) ever and have no idea what they do mate."
"(Data Broker 7 CEO) has since confirmed that (Data Broker 7) received my details via another of his entities called, (Data Broker 8), which obtained it from (Data Broker 3) directly."
Company 5
Evidence of Consent: 0/10
Provided Data Source: 0/10
User List Accountable: 0/10
Ensures Compliance: 0/10
"(Company 5) has potentially suffered a security breach, resulting in the leak of personal information to at least one seemingly unscrupulous business that has been selling my personal information into the direct marketing industry."
"These commercial and government organisations have provided the details of the identity brokers from whom they sourced my personal information, or who used it on their behalf, which include (Data Broker 2), (Data Broker 6), (Data Broker 7), (Data Broker 8) and (Marketer 1). All of whom have ultimately identified (Data Broker 3) as the source of my illegally acquired personal information that only (Company 5) should legally hold."
"I have no idea who (Company 5) are or what they do but if a representative from there is on this call I would welcome them to contact me"
"This is now getting quite ridiculous. Who are (Company 5) mate. Time to get your facts right."
"we require further information"
"Please be assured (Company 5) takes customer privacy seriously and we look forward to hearing from you."
"I have long taken precautions when providing my contact details to businesses. The email address that I provided to (Company 0) uses ‘(Company 0)’ as an alias for the same email account that I am using to send this email. It has never been used to send emails to anyone, not even to (Company 0). It was only ever provided to (Company 0) and only ever used to receive emails during that roughly 9 month period in 2008.
To this day, this email address is not found on any public sites, and does not appear to have been part of any known data breaches."
"At the time I opened my account, the Privacy Policy of (Company 0) was very explicit and clear on my personal information not being used or disclosed for marketing purposes."
"The (Company 0) Privacy Policy remained unchanged 9 months later when I closed my account. "
Company 5
Evidence of Consent: 0/10
Provided Data Source: 0/10
User List Accountable: 0/10
Ensures Compliance: 0/10
"(Company 5) has conducted a thorough investigation into your complaint and concluded that we have not disclosed your personal information to (Data Broker 3) nor any other of the named organisations. I can assure you that (Company 5) has not and does not sell our customers personal information data to any entity."
"(Company 5)’s Security Incident and Event Management system monitors all systems and alerts on any unauthorised activity. We inspected the logs of the alerts issued by that system regarding unauthorised access to the systems that hold your details and verified that no unauthorised access had occurred to your records. We have also performed a review of the access to these systems since being notified and this review has also found no breach of the systems, or customer data."
"Your personal information, including your account details and email address, was stored on a multi-layered system which is designed to protect the sensitive customer data (Company 5) holds from unauthorised access. These systems include Intrusion Prevention, Network and Host firewalls, network segmentation and strong authentication monitored constantly by a dedicated team in a Security Operations Centre and a Security Incident and Event Management system."
"(Company 5) also provides training to its staff with respect to protection of personal information and that training includes the requirement that information that it holds not be used for any improper purpose."
"The fact that there is even speculation that we somehow gathered this information illegally is not only unfounded but blatantly false.
Tristan, as you can see there was no data breach."
"Regarding these two statements:
- 'we have not disclosed your personal information to (Data Broker 3) nor any other of the named organisations'
- '(Company 5) has not and does not sell our customers personal information data to any entity'
Can you please confirm that (Company 5) 'has not and does not' disclose 'customer's personal information data to any entity'?"
"the terminology used in the current (Company 5) Privacy Policy specifically refers to disclosing (not selling) customer personal information for marketing purposes, including 'the products and services of other people, or related special offers from our business partners.' It is worth noting that the initial batch of unsolicited commercial mail that I received was car or travel related."
"Secondly; it is great to hear that my personal information is now stored securely and that staff are now trained appropriately. I know that neither of these were the case when I was a customer of (Company 0). I have attached an extract of my account closure letter, dated 08/12/2008, which discussed the poor security practices of (Company 0) at the time.
Please confirm the point in time that (Company 5) introduced the security controls capable of preventing or detecting a security breach that could have led to the exfiltration of my customer data. This point in time will be after the period during which (Company 0) call centre staff were required to request each customer’s login name and password over the phone on every interaction and log into their accounts directly."
Company 5
Evidence of Consent: 0/10
Provided Data Source: 0/10
User List Accountable: 0/10
Ensures Compliance: 0/10
"we have not disclosed your personal information to (Data Broker 3) nor any other of the named organisations"
"we could only share your personal information for marketing purposes if you had opted into receiving marketing communications"
"We can confirm that we took over full ownership of (Company 0) in February 2019 and were responsible for the security of (Company 0) customer data at this point."
"It is starting to feel like there is a reluctance to categorically state that (Company 5) explicitly did not directly disclose my personal information to any organisations for marketing purposes. Every statement provided so far on this matter has included qualifiers, constraints or methods that limit the scope of the response.
(Company 5) has so far stated:
- 'we have not disclosed your personal information to (Data Broker 3) nor any other of the named organisations'
- '(Company 5) has not and does not sell our customers personal information data to any entity'
- 'we could only share your personal information for marketing purposes if you had opted into receiving marketing communications'
It should not be difficult to make an absolutely explicit statement one way or the other. I would really appreciate it if we could put this question to bed.
Did (Company 5) (or (Company 0), any other subsidiaries or partners) disclose my personal information for marketing purposes to any organisations?
This should prompt a simple “Yes" or “No” answer, followed by an elaboration on who received my data, what data was disclosed and when, if the answer is “Yes.”"
"Even in this worst case scenario, the point in time that my personal information entered the direct marketing industry was well within the period of unsecured customer data at (Company 0)."
"I would just like to reiterate that (Company 5) did not have management control over (Company 0) in 2008, so we are unable to provide you a simple yes or no answer. As (Customer Resolution Lead) previously mentioned ‘we took over full ownership of (Company 0) in February 2019 and were responsible for the security of (Company 0) customer data at this point’."
"We suggest that any further correspondence regarding this matter should be directed to the Tolling Customer Ombudsman and/or OAIC."
"Please clarify any of these points if they do not accurately represent (Company 5)’s findings provided so far.
In short; none of the three possibilities presented in my original email on August 29 have been ruled out. They actually all seem more likely now than when I first tabled them."
Disclaimer: I am not a lawyer. I don't even play one on TV.
The following is based on my interpretation of the Spam & Privacy Acts. These have been stated repeatedly to every party involved in these matters, and have never once been contradicted or challenged by anyone that I have asked to comply with this interpretation. However, I am always open to any clarifications if any of the following misrepresents our rights under these acts.
The two key elements of the Spam and Privacy Acts that I have found advertisers, direct marketers and their data brokers often fail to comply with are:
This section of the Spam Act 2003 protects individuals from receiving unsolicited commercial electronic messages. It puts the burden of proof on direct marketers to show that they have obtained the recipient's consent.
(1) A person must not send, or cause to be sent, a commercial electronic message that:
(a) has an Australian link; and
(b) is not a designated commercial electronic message.
(2) Subsection (1) does not apply if the relevant electronic account holder consented to the sending of the message.
(5) A person who wishes to rely on subsection (2), (3) or (4) bears an evidential burden in relation to that matter.
Australian Privacy Principle 7 deals with the protection of personal information in the context of direct marketing. It requires organizations to inform individuals of the source of their personal information when requested.
7.45 An individual may ask an organisation to identify the source of the personal information that it uses or discloses for the purpose of direct marketing, or for the purpose of facilitating direct marketing by other organisations (APP 7.6(e)).
7.46 The organisation must then notify the individual of its source, unless this is impracticable or unreasonable (APP 7.7(b)). It is the responsibility of the organisation to be able to justify that it is impracticable or unreasonable to provide this notification.
7.47 Notification of the source of the personal information must be given within a reasonable period after the request is made (APP 7.7(b)). A ‘reasonable period’ would generally be 30 days unless special circumstances apply.
In addition to the above regulations, the ACMA and ACCC provide the following statements:
Know your responsibilities for email lists
Take care when you buy or use a marketing list.
You are still responsible for making sure you have consent for any addresses you use.
Most Australian businesses use advertising to promote their goods and services. Whether they advertise through television, radio, the internet or print media, they must ensure that their advertising complies with the law.
With over 3 years' worth of correspondence to add, annotate, rate and publish, updates will be pushed out over time.
The Change Log will track all updates as they are made. Once an update is logged, a post will also be published on LinkedIn.